On 29/06/2012 17:45, Steingruebl, Andy wrote:
-----Original Message-----
From: Alexey Melnikov [mailto:[email protected]]

Maybe this is not a good example, but I am thinking that something like
OCSP retrieval failing on the client side is not something that would
show up in the webserver logs.
Sure, but doesn't the OCSP site know whether it has set HSTS?
You might be thinking of a different usage of OCSP.

I was thinking about: a browser gets a certificate from TLS. It tries to verify it using OCSP against a third-party OCSP server. The OCSP server is down. Now the website the browser is trying to access is effectively down with HSTS enabled.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
